Computer systems and networks can employ various measures to prevent activity by unauthorized users. For example, a network can require a username and password to authenticate a user before allowing access. However, there remains a need for a security system to better detect anomalous activity, for example, when an authenticated user is actually a malicious actor, and furthermore, there remains a need to implement such a security system in a dynamic manner that reduces the need for manual configuration with more accurate results.